Mark Zuckerberg, Facebook’s CEO, has promised the company will investigate apps that had access to ‘large amounts of information’ and audit any that show ‘suspicious activity’.
Photograph: Justin Sullivan/Getty Images

This larger figure, which included over a million UK users, was buried in the penultimate paragraph of a blogpost by the company’s chief technology officer, Mike Schroepfer, published on Wednesday, which also provided updates on the changes Facebook was making to better protect user information.

Mark Zuckerberg, during a conference call shortly after the post was published, said: “We didn’t take a broad enough view on what our responsibility was and that was a huge mistake. That was my mistake.”

When asked if anyone had been fired over the data scandal, the CEO replied: “I started this place, I run it, I’m responsible for what happens here. I’m going to do the best job I can going forward. I’m not looking to throw anyone under the bus for mistakes I’ve made.”

Zuckerberg’s latest mea culpa comes one week before he is due to face questioning from members of Congress over the data scandal. He will appear before the House energy and commerce committee on Wednesday 11 April.

Schroepfer, in his blogpost, outlined sweeping changes to the way third-party developers can interact with Facebook via APIs, the digital interfaces through which third parties can interact with and extract data from the platform.

The company will no longer allow developers to access the guest list or wall posts of an event scheduled on Facebook, while developers seeking to access the data of Facebook group members will first need to get permission from a group administrator to ensure “they benefit the group”.

Facebook is also tightening its review process for apps that request access to information such as check-ins, likes, photos and posts, making developers agree to strict requirements. Apps will no longer be allowed access to personal information such as religious or political views, relationship status, education, work history, fitness activity, news habits and activity related to news, video and games consumption.

The company is also removing a tool that allows people to search for someone on Facebook using their phone number or email address because, Schroepfer said, “malicious actors have also abused these features to scrape public profile information”.

Zuckerberg also pointed out that privacy controls being introduced to ensure Facebook complied with Europe’s general data protection regulation would be available to users globally, contrary to earlier news reports.

“We will make all the same controls and settings available everywhere not just Europe,” he said.

The updates come two weeks after the Observer revealed that the data analytics firm that worked with Donald Trump’s election team and the Brexit campaign acquired millions of profiles of US citizens and used them to build a software program to predict and influence voters. Facebook discovered the information had been harvested by a third party in late 2015, but failed to alert users at the time.

The data was collected through an app called thisisyourdigitallife, built by Cambridge University academic Aleksandr Kogan through his company Global Science Research in collaboration with Cambridge Analytica. Hundreds of thousands of users were paid a small fee to take a personality test and they consented to have their data collected.

However, the app also harvested the information of the participants’ friends, which allowed for the accumulation of data from tens of millions of Americans.

Following Facebook’s announcement of the 87m figure, Cambridge Analytica published a blog post stating that it had licensed data for “no more than 30m people from GSR” and “did not receive more data than this”.

Facebook first discovered that Kogan had improperly shared the information with Cambridge Analytica when a Guardian journalist contacted the company about it at the end of 2015. At the time Facebook asked Cambridge Analytica to delete the data and revoked Kogan’s access to the Facebook API, the interface through which third parties interact with the social network.

After the Observer contacted Facebook three weeks ago with testimony from a whistleblower stating that Cambridge Analytica had not deleted the data, Facebook has announced a series of measures to prevent future data leaks.